ok
On Sun, Nov 05, 2017 at 10:39:18PM +0100, Patrick Wildt wrote:
> Hi,
>
> for IPcomp we need to load explicit ESP-flows for the IPIP or IPCOMP
> tunneled packets, otherwise every packet between the gateways will
> be sent into the tunnel (e.g. ICMP, too).
>
> ok?
>
> Patrick
>
> diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
> index 706f9ebbe1d..cacfe690008 100644
> --- a/sbin/iked/ikev2.c
> +++ b/sbin/iked/ikev2.c
> @@ -4942,16 +4942,21 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa
> *sa)
> {
> struct iked_childsa *other, *nother, *csa = NULL, *csb = NULL;
> struct iked_flow *flow, *flowa = NULL, *flowb = NULL;
> + struct iked_flow *flowc = NULL, *flowd = NULL;
> struct iked_flow *nflow, *oflow;
>
> if ((csa = calloc(1, sizeof(*csa))) == NULL ||
> (csb = calloc(1, sizeof(*csb))) == NULL ||
> (flowa = calloc(1, sizeof(*flowa))) == NULL ||
> - (flowb = calloc(1, sizeof(*flowb))) == NULL) {
> + (flowb = calloc(1, sizeof(*flowb))) == NULL ||
> + (flowc = calloc(1, sizeof(*flowc))) == NULL ||
> + (flowd = calloc(1, sizeof(*flowd))) == NULL) {
> free(csa);
> free(csb);
> free(flowa);
> free(flowb);
> + free(flowc);
> + free(flowd);
> return (-1);
> }
>
> @@ -5039,8 +5044,9 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa
> *sa)
> }
> }
>
> - /* setup ESP flows for gateways */
> + /* setup ESP flows for gateways (IPCOMP) */
> flowa->flow_ipcomp = 1;
> + flowa->flow_ipproto = IPPROTO_IPCOMP;
> flowa->flow_dir = IPSP_DIRECTION_OUT;
> flowa->flow_saproto = IKEV2_SAPROTO_ESP;
> flowa->flow_local = &sa->sa_local;
> @@ -5054,22 +5060,36 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa
> *sa)
> (sa->sa_local.addr_af == AF_INET) ? 32 : 128;
> flowa->flow_ikesa = sa;
>
> - /* skip if flow already exists */
> + /* matching incoming flow */
> + memcpy(flowb, flowa, sizeof(*flowb));
> + flowb->flow_dir = IPSP_DIRECTION_IN;
> + memcpy(&flowb->flow_dst, &flowa->flow_src, sizeof(flowa->flow_src));
> + memcpy(&flowb->flow_src, &flowa->flow_dst, sizeof(flowa->flow_dst));
> +
> + /* setup ESP flows for gateways (IPIP) */
> + memcpy(flowc, flowa, sizeof(*flowc));
> + flowc->flow_ipproto = IPPROTO_IPIP;
> +
> + /* matching incoming flow */
> + memcpy(flowd, flowb, sizeof(*flowd));
> + flowd->flow_ipproto = IPPROTO_IPIP;
> +
> + /* skip if flows already exists */
> TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) {
> - if (flow_equal(flow, flowa)) {
> + if (flow_equal(flow, flowa) || flow_equal(flow, flowb) ||
> + flow_equal(flow, flowc) || flow_equal(flow, flowd)) {
> free(flowa);
> free(flowb);
> + free(flowc);
> + free(flowd);
> goto done;
> }
> }
>
> - memcpy(flowb, flowa, sizeof(*flowb));
> - flowb->flow_dir = IPSP_DIRECTION_IN;
> - memcpy(&flowb->flow_dst, &flowa->flow_src, sizeof(flowa->flow_src));
> - memcpy(&flowb->flow_src, &flowa->flow_dst, sizeof(flowa->flow_dst));
> -
> TAILQ_INSERT_TAIL(&sa->sa_flows, flowa, flow_entry);
> TAILQ_INSERT_TAIL(&sa->sa_flows, flowb, flow_entry);
> + TAILQ_INSERT_TAIL(&sa->sa_flows, flowc, flow_entry);
> + TAILQ_INSERT_TAIL(&sa->sa_flows, flowd, flow_entry);
>
> done:
> /* make sure IPCOMP CPIs are not reused */
EOF
